Archive for May, 2013

Microsoft has given a first look at Windows 8.1, the free update to Windows 8 that it plans to deliver this autumn.

Though it will disappoint some, it should surprise few to learn that Windows 8.1 will not revert all the user interface changes made in Windows 8. Instead, 8.1 will be an incremental update that builds on the Windows 8 interface and its Metro design, but does not replace it.

As such, Windows 8.1 still has the Start screen. It is, however, a more customizable Start screen. There are new tile sizes: a double height tile, to allow apps to show more information, and a smaller tile size, to allow apps to be packed more tightly. There are more options for the Start screen background and colors, including animated backgrounds and the ability to use the same background as used on the desktop. This last change should make the Start screen feel a little less visually disconnected from the desktop world.

Todd Kuehnl has been a developer for nearly 20 years and says he’s tried "pretty much every language under the sun."

But it was only recently that Kuehnl discovered Go, a programming language unveiled by Google almost four years ago. Go is still a new kid on the block, but for Kuehnl, the conversion was quick. Now he says "Go is definitely by far my favorite programming language to work in." Kuehnl admitted he is "kind of a fanboy."

I’m no expert in programming, but I talked to Kuehnl because I was curious what might draw experienced coders to switch from proven languages to a brand new one (albeit one co-invented by the famous Ken Thompson, creator of Unix and the B programming language). Google itself runs some of its back-end systems on Go, no surprise for a company that designs its own servers and much of the software (right down to the operating systems) that its employees use. But why would non-Google engineers go with Go?

This is just a picture, but you can try Go within the browser at golang.org.

Kuehnl is the head of engineering for Beachfront Media, which recently announced a new platform called Beachfront.iO that serves video ads to mobile devices and tablets. Kuehnl spent three months leading development of the platform, saying he chose Go in large part because of how it enables concurrency, the ability for computations to execute simultaneously and interact with each other while they’re running.

Beachfront.iO "needs to service millions upon millions of requests a day, upwards of 5 to 10 thousand transactions per second and do this very reliably," Kuehnl said. "I was looking at different stacks and doing benchmarks to figure out how it would be most productive and most performant … and that’s where I came across Go."

The code written in Go performs all the heavy lifting on the back-end, including load balancing and choosing which ads to serve up when and where.

"The issue for PHP and even Node.js is obviously you’re trapped in a single-threaded situation and what I really wanted was to be able to do a lot of things concurrently," Kuehnl continued. "My options were to go with something like Java, where you have more memory overhead, or I could go with something like Go that was built from the ground up for concurrency and using very modern patterns."

Kuehnl said Go combines those modern concurrency patterns with the "static execution speed of C or C++" but with "a more compositional feel, a script kind of feel. … I started first with the idea of trying to pick the most high-performance modern language, but as I explored it more the beauty of the language presented itself."

Beachfront runs its video ad service on Ubuntu Linux servers hosted in the Amazon Elastic Compute Cloud. Go performs well even on cloud-based virtual machines (albeit large instances with 16GB of RAM), Kuehnl said. This allows Beachfront to minimize one of the pain points of advertising—lengthy delays that cause users to give up and move to a different website or app. "With Go, I’m able to have an ad up and running within 200 milliseconds, which is orders of magnitude faster than some of these legacy networks," he said. Go’s compiler is so fast "it’s almost like working in an interpreted language," he said.

He’s not the only one

Google unveiled version 1.1 of Go earlier this month, promising a big speed boost. (Kuehnl said he’s already using the new version.) Google, which is also developing a JavaScript alternative called Dart, declined an interview request from Ars about the future of Go. Google noted, however, that Go is used internally by the company for "core infrastructure services; cluster management; large-scale distributed processing, including some uses of MapReduce; [and in] tools for software development."

At least one project using Go did end in failure. That was a Kickstarter-funded game called "Haunts: The Manse Macabre." The developer blamed much of the trouble on Go itself, but his descriptions seem to indicate the problems were mostly self-inflicted through poor planning and version control. The developer cited "the shifting code base of the Go programming language" and the fact that the language is "new and not well supported." But he also noted that the code his team developed is "buggy and incomplete" and that the original programmer on the project took on a new job and "has not responded to additional requests for aid or insight into solving" the fundamental problem that the game code can’t be compiled.

Go has worked out well for numerous other users. A developer named Dotan Nahum recently used Go to build a remote management system for the Raspberry Pi called Ground Control.

Nahum told me via e-mail that he chose Go for its "performance, concurrency, and simplicity." Ground Control required a Web server and monitoring daemon, and his options "were to either go with C and write a pure C-based solution, or use something I knew was the closest thing to C in concept and offered great performance (in its recent version): Go."

Nahum wasn’t sure how Go would work on the Pi’s ARM architecture, but it turned out the Pi "took everything I threw at it without any problems."

Nahum further stated:

Being polyglot for a long time now, I use the right tool for the job. Instead of being stuck fitting square pegs into round holes (which sadly many programmers do), I keep exploring more and more platforms and languages in order to gain high expertise in those and understand what situations call for the right platform and language.

In my opinion Go gives you great performance—which is easy to verify yourself and is more or less a fact; but what’s more arguable is that I think it gives you great concurrency. More precisely I think it gives you great concurrency, and simple concurrency, for the amount of effort you put in.

I see Go as simple in general, too. It doesn’t try to claim it is a superstar like other languages have in the past, it has simple language constructs (in my opinion), and the ecosystem is very humane—from the documentation to the developers’ general approach. I think you can attribute those properties to languages like Ruby and Clojure too—I see Go as a distant relative.

Go still has some growing up to do, though—no surprise given how new it is. Nahum said alternatives like Ruby and Node.js have more complete ecosystems and that Go’s packaging and dependencies could stand some improvement. "If you make a few searches, you’ll see some confusion there and several alternate solutions for what exists right now to specify your dependencies," Nahum wrote. "Some say that it’s just a matter of people not getting it right, and some say that it shouldn’t work the way it does right now. I’m not so fond of the way it works right now, but I can also make do for now—it could have been much worse (I don’t want to say which language I’m talking about :)."

Kuehnl noted that Go is probably not yet the best choice for creating desktop apps with graphical user interfaces, or for gaming. "I think Go fits best for what it’s really being used for in Google, which is back-end services, back-end processes, data analysis, things like that," he said.

Kuehnl watched some video lectures and read documentation about Go when he was learning the language, and said it didn’t take him long to figure out how best to use it.

"There’s sort of a C kind of feel to it but it’s definitely different, it’s got some influences from Haskell and some other languages in regard to some of the concurrency aspects," he said. "I found Go to be very natural really within a few days. What I love about Go is it gives all these powerful concurrency patterns and you can get really creative with it. At this point I don’t have to think about it. I just think about the problem I’m trying to solve and there’s a lot of really elegant ways to go about it with Go."

Neutral party: Julius Genachowski, then-chairman of the FCC, speaks during a hearing on net neutrality in Washington, D.C., in 2010.

This fall, Verizon will try to persuade a federal judge to throw out U.S. Federal Communications Commission regulations requiring “net neutrality”—the idea that all content and applications must get similar treatment on wired and wireless networks.

But even beyond the court fight, the concept is under a diffuse and broad assault. Experts warn that the end of net neutrality would mean that deep-pocketed content providers could squeeze others out.

Net neutrality is being eroded on several fronts. New content deals and services are increasingly pushing against the concept. And a crop of emerging wireless routing technologies—ones that prioritize data in sophisticated ways—are challenging the concept that all data packets are equal.

So in some ways, the regulations are already being skirted. “There are some apparent loopholes that can be exploited, and the providers are exploiting them,” says John Bergmayer, a staff attorney with Public Knowledge, an open-Internet group in Washington, D.C. “The arguments get complex because what they are doing is more subtle.”

BEIJING — Name a target anywhere in China, an official at a state-owned company boasted recently, and his crack staff will break into that person’s computer, download the contents of the hard drive, record the keystrokes and monitor cellphone communications, too.

Pitches like that, from a salesman for Nanjing Xhunter Software, were not uncommon at a crowded trade show this month that brought together Chinese law enforcement officials and entrepreneurs eager to win government contracts for police equipment and services.

“We can physically locate anyone who spreads a rumor on the Internet,” said the salesman, whose company’s services include monitoring online postings and pinpointing who has been saying what about whom.

The culture of hacking in China is not confined to top-secret military compounds where hackers carry out orders to pilfer data from foreign governments and corporations. Hacking thrives across official, corporate and criminal worlds. Whether it is used to break into private networks, track online dissent back to its source or steal trade secrets, hacking is openly discussed and even promoted at trade shows, inside university classrooms and on Internet forums.

Federal authorities seized LibertyReserve.com and four other related domain names, effectively shutting down the site. The site’s founder, Arthur Budovsky Belanchuk (who apparently renounced his US citizenship in 2011 to become a Costa Rican citizen), was arrested last Friday.

In a 27-page indictment (PDF), the defendants are charged with money laundering and conspiracy to operate an unlicensed money transmitting business. They are ordered to surrender “all property, real and personal” including: “at least $6 billion” and tens of millions of dollars more allegedly contained within bank accounts across Costa Rica, Cyprus, Russia, Hong Kong, Morocco, China, Spain, Latvia, and Australia.

Thanks to the XKCD comic, every password cracking word list in the world probably has correcthorsebatterystaple in it already.

Aurich Lawson

In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do.

Imagine no more. We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail Iron Chef style. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered.

The list contained 16,449 passwords converted into hashes using the MD5 cryptographic hash function. Security-conscious websites never store passwords in plaintext. Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user. In the event of a security breach that exposes the password data, an attacker still must painstakingly guess the plaintext for each hash—for instance, they must guess that "5f4dcc3b5aa765d61d8327deb882cf99" and "7c6a180b36896a0a8c02787eeafb0e4c" are the MD5 hashes for "password" and "password1" respectively. (For more details on password hashing, see the earlier Ars feature "Why passwords have never been weaker—and crackers have never been stronger.")
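The guess-and-compare property described above, seen from the defender's side, in an added example that is not from the article: it audits a small credential table for unsalted MD5 digests that match known-weak passwords, then stores the same password with a per-user salt and a slow key-derivation function. The account names, the weak-password list and the PBKDF2 parameters are assumptions made for illustration, and the salted PBKDF2 storage goes beyond what the article covers.

```python
import hashlib
import hmac
import os

# The two MD5 digests quoted in the article, attached to account names
# constructed for this example.
STORED_MD5 = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",
    "bob": "7c6a180b36896a0a8c02787eeafb0e4c",
    "carol": "5f4dcc3b5aa765d61d8327deb882cf99",  # same password as alice, same digest
}

# Constructed denylist of weak passwords a defender screens for.
WEAK_PASSWORDS = ["123456", "password", "password1", "letmein"]


def audit_unsalted_md5(stored, candidates):
    """Return {user: password} for accounts whose digest matches a weak candidate.

    Each candidate is hashed once and the result is reused for every account:
    without a salt, one guess tests the whole table.
    """
    lookup = {hashlib.md5(p.encode()).hexdigest(): p for p in candidates}
    return {user: lookup[d] for user, d in stored.items() if d in lookup}


def hash_password(password, iterations=200_000):
    """Assumed replacement scheme: random per-user salt + PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(audit_unsalted_md5(STORED_MD5, WEAK_PASSWORDS))
    first, second = hash_password("password"), hash_password("password")
    # Same password, different salts: the stored digests no longer match each other.
    print(first[2] != second[2], verify_password("password", first))
```

With the salted scheme, a guess has to be recomputed separately for every account and every computation costs 200,000 HMAC rounds, so a single precomputed lookup no longer covers the table.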